How to Secure Your Mac From Potential Theft

My residence was recently broken into (the alarm malfunctioned on entry and only went off as the thieves left) and two Mac laptops were taken. Luckily, I have good insurance and had an up to date Time Machine backup.

Over the past week, I’ve learned some additional things I could have done to prepare for this eventuality. My house had also been broken into ten years ago.

Here’s a summary of what you should do to prepare your Macs right now for the possibility of theft. It won’t eliminate theft but it will greatly reduce the damage from such events and make it more likely that your device will return to you.

1. Use a Password Manager. I’m a longtime user and strong advocate for 1Password. I like that it also allows me to store secure notes. 1Password makes it easy to avoid the habit of re-using passwords amongst multiple sites. It also syncs passwords across multiple Macs, iPhones, iPads et al. If instead you do not use a password-based login for your Mac and save all your passwords in your browser, a thief would very quickly be able to login in to most all of your accounts.2. Turn on File Vault. File Vault encrypts your Mac’s hard drive and automatically turns off automatic login, requiring you provide a password to log in to your Mac. By turning off automated login, FileVault makes it more difficult for thieves to access your laptop data without your password. If they take your hard drive out of your Mac, they won’t be able to easily decrypt your personal data from another device. See System Preferences -> Security & Privacy -> FileVault. Store a copy of the File Vault encryption key somewhere safe – such as a secure note in 1Password.

FileVault also restricts the guest account you’ll set up below from accessing anything other than Safari to browse the web.

Update: See at bottom for more information about File Vault and theft recovery software.

3. Set a Firmware Password.This is critical. Setting a firmware password will prevent anyone from reformatting your hard drive without your password. This will also make it difficult for them to defeat anti-theft software we’ll describe below. Restart your Mac. When the grey screen appears, hold down Command-R. Once the Recover System app starts, open the Utilities menu and select Set Firmware Password. Save this password somewhere safe or in 1Password or you won’t ever be able to modify the lower level configuration of your Mac. Note: If you ever sell or give away your Mac, you’ll likely want to remove this password or change it to something simple you can share with the new owner.

4. Install Theft Recovery Software. The goal of theft recovery software is to get the Internet IP address of your laptop if the thief or eventual purchaser reconnects it to the Internet – I saw one statistic that said that 90% of stolen laptops reappear on the Internet within a few weeks. However, if you don’t set a firmware password – the hard drive can be easily reformatted – which will defeat these features. You can use your iCloud’s built-in Find My Mac capability (free) or purchase software such as Lojack For Laptops Standard $39 (annually), Orbicule’s Undercover (flat $49-$59 fee) or Prey (free or pro available) (also works for iPhones & iPads). The latter two surreptitiously photograph the thief using your computer. I don’t have a strong recommendation for any of these however it seems that the Lojack team has an active effort in collaboration with U.S.-based law enforcement. Sometimes victims of theft may get an IP address of their Mac but the police are not willing to respond to the data. Apparently, the Lojack team has success in getting police response to their software.

5. Create a Guest User Account. The purpose of the guest user account is to make it more likely that the thief or someone downstream will login in to your Mac on the Internet and allow the IP address to be determined by your theft recovery software. If you turned on File Vault, the guest user account will be limited to Safari web browsing and not able to see your local files. If you don’t leave a guest account and you activate FileVault and Firmware Passwords, then your Mac will essentially be a useless brick to the thief – and they might throw it away. The guest account moderately increases the likelihood someone will connect the device to the Internet.

6. Set up Time Machine. Apple’s Time Machine works quite well. Use it with an external hard drive or network-based Time Capsule. Using a network-based approach is advisable with laptops, as they can update their backups with Time Machine over wi-fi and don’t have to be physically connected to a hard drive. I had luckily made sure my Time Machine backup was up to date before I left to travel and within 12 hours, I had restored all my data to a new laptop. I didn’t have to do anything to reconfigure my new laptop – it was now identical to the configuration I’d had before.

7. Subscribe to a Cloud Based Backup Service. I’ve begun using Crash Plan ($60 annually) but many people use BackBlaze. I like Crash Plan because it makes it easier to backup external hard drives whereas BackBlaze has some restrictions on these. If the hard drive with my Time Machine backup is also stolen, all my data will be available in the cloud. Cloud-based backups are also useful in case of hard drive failures which are quite common as drives age several years.

9. Use Dropbox and Google Drive for Daily Work. Increasingly, I use Dropbox to synchronize my current work files across my Macs. This also provides a small, free cloud-based backup of stuff I’m working on. I also use Google Drive for more and more documents – which are all stored online. Dropbox, by the way, also tracks the IP address of your Mac, should a stolen one be reconnected to the Internet (See Settings -> Security -> Device list). A colleague also recommends BoxCryptor to remotely encrypt your cloud-based documents.

10. Set Login Screen Message. You can set a message on your login screen such as “Property of Joan Smith. Please contact me at …” which anyone with physical access to your Mac will see. It’s like a personalized software engraving for your Mac. See Preferences -> Security & Privacy -> General -> Show a message when the screen is locked.

There is conflicting information about whether use of File Vault 2 interferes with Theft Recovery Software. I’ve asked several vendors and honestly, all the information still conflicts – so you’ll have to experiment on your own.

The issue is whether or not the guest account that allows Safari login actually allows the theft recovery software to activate itself during this process – or not.

LoJack was very responsive and seems to say if installed correctly, that it works – but I’m skeptical.

There should be no problems with LoJack working work any encryption software, including FileVault 2. However, please be aware that if you are using encryption software on your device, you should fully decrypt the drive before installation of LoJack. Once the installation has been successful, you may re-encrypt the drive.

In all other regards, LoJack is fully compatible with FileVault 2.

With Mac devices, LoJack does not write to a boot sector, so the chances of corruption are non-existent. LoJack will write to certain system folders, and if the device is encrypted, these writes can sometimes fail to occur. When this happens, the installer will universally error out. For this reason, as a rule, we will always recommend decryption of a drive first, to ensure that the installation will run more smoothly and without errors.

Undercover which relies on the same software capabilities says the opposite:

Undercover is indeed unfortunately not compatible with FileVault 2 (Full Disk Encryption), as this will not allow the Mac to boot (only on the recovery partition, where Undercover cannot be installed), unless you know the password. As a result, no applications can be run without the password. This includes Undercover, and even Apple’s own Find My Mac software.

So basically you have to choose between protecting your data with FileVault or having a chance to recover your Mac. I’m sorry to say this, but this is how Apple has designed FileVault 2.